Is it possible to create a second website on Exchange 2013 CAS server for ActiveSync?
I have seen the steps to configure multiple OWA/ECP virtual directories on Exchange CAS on TechNet in order to eliminate internet access to Exchange EAC - http://blogs.technet.com/b/exchange/archive/2015/02/11/configuring-multiple-owa-ecp-virtual-directories-on-the-exchange-2013-client-access-server-role.aspx. Our org really doesn't need to have OWA, ECP, EWS, OA, or PS exposed to the outside world at all - we ONLY need to have internet access to AS.  What I would like to do is set up a secondary website for ActiveSync (similar to the method described in the link) and then port forward 443 from the firewall to the secondary website IP (which would be on the one and only CAS server) and effectively remove all these other services from being exposed to the internet.  Does anybody have any ideas or experience with this type of change that can offer some help?  We are a very small company and cannot purchase extra hardware to make an entirely different CAS server for this.  Thanks in advance for thoughts/comments.
G
April 13th, 2015 5:19pm

I would stand up a separate CAS.  I've never tried setting up separate ActiveSync virtual directories and I don't think it's supported.
April 13th, 2015 10:28pm

Thanks for the reply Ed.  I wish I could do it this way, but the problem is that we are a small company and don't really have the money for another Windows server license, Exchange server license and the hardware to run it on.  Seems like another point is that by adding a second CAS and forwarding 443 to it, I am essentially right back where I was with all the services exposed, right?  Wouldn't another CAS make a new instance of all the services that we don't need to have exposed to the internet?  If there is a way to just disable everything except ActiveSync and EWS on the current CAS that is supported, then I could follow the recommendations in the article linked above to gain access to the EAC and forget about everything else.  We do not need OWA (other than as required for EAC) internally or externally.


  • Edited by gmwood 17 hours 7 minutes ago
April 14th, 2015 9:57am


You could remove the other virtual directories on that CAS, I believe.

A better option might be to configure a reverse proxy to block everything at the firewall except ActiveSync and maybe Autodiscover.

Another option is to obtain a mobile device management cloud service like MobileIron, which would allow you to keep from exposing your Exchange Server to the general Internet, only allowing MobileIron to connect.

April 14th, 2015 4:11pm
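
The reverse-proxy suggestion above comes down to a path allow-list in front of the CAS. As an added example (not part of the original thread and not tied to any particular proxy product), this Python code shows the allow/deny decision such a rule should make, normalising the path before matching so that case changes, encoded characters and `..` segments cannot reach `/owa`, `/ecp` or `/EWS`; the function names and sample requests are constructed for illustration.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Virtual directories to publish, per the thread: ActiveSync and maybe
# Autodiscover. Stored lowercase because IIS matches paths case-insensitively.
ALLOWED_PREFIXES = ("/microsoft-server-activesync", "/autodiscover")


def normalize_path(request_target: str) -> Optional[str]:
    """Return the canonical lowercase path, or None if it should be refused."""
    path = request_target.split("?", 1)[0]      # drop the query string
    decoded = unquote(path)                     # decode percent-escapes once
    # A leftover '%' means double encoding or a malformed escape; backslashes
    # and control characters have no place in these URLs either.
    if "%" in decoded or "\\" in decoded:
        return None
    if any(ord(ch) < 0x20 for ch in decoded) or not decoded.startswith("/"):
        return None
    collapsed = re.sub(r"/+", "/", decoded)     # '//a///b' -> '/a/b'
    return posixpath.normpath(collapsed).lower()  # resolve '.' and '..'


def is_allowed(request_target: str) -> bool:
    """True only for requests that stay inside an allowed virtual directory."""
    path = normalize_path(request_target)
    if path is None:
        return False
    # Match on a path-segment boundary so '/autodiscoverX' is not accepted.
    return any(path == p or path.startswith(p + "/") for p in ALLOWED_PREFIXES)


# Constructed sample requests (not taken from any real log).
SAMPLES = [
    "/Microsoft-Server-ActiveSync?Cmd=Sync&DeviceType=Phone",
    "/autodiscover/autodiscover.xml",
    "/owa/auth/logon.aspx",
    "/ecp/",
    "/EWS/Exchange.asmx",
    "/Microsoft-Server-ActiveSync/../ecp/default.aspx",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print("ALLOW" if is_allowed(target) else "DENY ", target)
```

Running the same list of requests through the real proxy and comparing its responses with these decisions is a quick check that the published rule set matches the intent.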

Thanks again for the reply.  I will look into reverse proxy, before ripping out the virtual directories.
April 15th, 2015 4:43pm

You don't want to rip the virtual directories out of your primary CAS, or you'll break several things.
April 15th, 2015 10:44pm

Yea, I was thinking this might be the case.  I was able to get it working with a reverse proxy - at least with one device - will see what happens when we add some more, but at least the only thing I have to do if it stops working for some reason is to redirect the port back to Exchange. Thanks for the help.
April 17th, 2015 4:12pm

Glad you found an answer and happy to have helped.
April 17th, 2015 8:42pm

This topic is archived. No further replies will be accepted.
